Score:0

Bind9 Returning SERVFAIL for custom Zones

li flag

I'm trying to set up a DNS server for my domains using Bind. The server behaves correctly for non-custom domains like google.com or github.com, but for my domains it always returns "SERVFAIL". I've already checked the zone file using named-checkzone, which returns "OK".

My Zone config (defined in named.conf.local):

zone "michlfranken" {
  type master;
  file "/var/cache/bind/db.isiko404.dev";
};

My Options File:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                80.241.218.68;
                46.182.19.48;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation yes;

        listen-on-v6 { any; };
        listen-on { any; };
};
Patrick Mevzek
cn flag
`SERVFAIL` should appear in your logfiles; did you look at them? Also, it is not a good idea to have both recursive and authoritative service on the same server. And are you sure about `zone "michlfranken"`? This is not a FQDN inside the IANA root.
fr flag
Yeah, clarification about the zone name would be nice. named.conf may also help, and named logs would also be helpful.
Score:0
fr flag

The RHS (right-hand side) of an NS record CANNOT be a CNAME; it must be a canonical name, defined as either or both A and AAAA records. This is described here: In DNS can an IN NS point to a CNAME?

This is your NS record:

vesemir:~> dig @81.169.234.207 isiko404.dev ns +short
h2869709.stratoserver.net.
dns.isiko404.dev.

This is your dns.isiko404.dev record:

vesemir:~> dig @81.169.234.207 dns.isiko404.dev +norecurse +noall +answer
dns.isiko404.dev.       21600   IN      CNAME   s1.isiko404.dev.
s1.isiko404.dev.        21600   IN      A       81.169.234.207

Now, the name in the zone clause should be your zone name, and I guess it is "isiko404.dev", not "michlfranken".

I must say I am puzzled why I can query your server and don't see the error.

Patrick Mevzek
cn flag
The zone is not defined as `isiko404.dev` in the configuration snippet given...
Patrick Mevzek
cn flag
"The RHS (right-hand side) of an NS record CANNOT be a CNAME; it must be a canonical name, defined as either or both A and AAAA records." This is true, but in practice not a fatal error in `named-checkzone` AFAIK, and not something that would trigger a `SERVFAIL`.
fr flag
Just noticed mismatch in zone name. Let's wait for indication if I guessed right...
isi_ko
li flag
It seems to have been the mismatch in the zone name; I guess copy and paste has its downsides :D I'll look into that CNAME. About you being able to query my server: I'm switching from CoreDNS to Bind and just had CoreDNS running while Bind was down.
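The two problems raised in this thread, a zone name in named.conf.local that does not match the apex of the zone file, and an NS record whose target is a CNAME, can both be caught before reloading named. The following is an added example, not code from the thread or from BIND: it parses a constructed named.conf.local fragment and a constructed zone file (both modelled on the names shown in the question and the dig output above) and reports each mismatch. The hostmaster address, serial and timers in the sample SOA are made up. In practice the equivalent checks are `named-checkconf` and `named-checkzone isiko404.dev /var/cache/bind/db.isiko404.dev`, where the first argument must be the zone name named will serve, so a copy-and-paste mismatch shows up as out-of-zone data rather than "OK".

```python
"""Offline sanity checks for a BIND zone (illustrative; BIND's own tools are
named-checkconf and named-checkzone):
  1. does the zone name declared in named.conf.local match the SOA owner
     (apex) of the zone file?
  2. does any NS record point at a name that is a CNAME? (RFC 2181 s10.3)
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# Constructed named.conf.local fragment, shaped like the one in the question
# (with its mismatched zone name).
NAMED_CONF_LOCAL = '''
zone "michlfranken" {
  type master;
  file "/var/cache/bind/db.isiko404.dev";
};
'''

# Constructed zone file; dns.isiko404.dev is a CNAME, as in the answer's dig
# output. hostmaster address, serial and timers are made-up placeholders.
ZONE_FILE = '''
$ORIGIN isiko404.dev.
$TTL 21600
@    IN SOA   dns.isiko404.dev. hostmaster.isiko404.dev. 2024010101 3600 900 604800 300
     IN NS    dns.isiko404.dev.
     IN NS    h2869709.stratoserver.net.
dns  IN CNAME s1.isiko404.dev.
s1   IN A     81.169.234.207
'''


def absolutize(name, origin):
    """Turn a master-file owner or target name into a lowercase FQDN."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError(f"relative name {name!r} used before $ORIGIN")
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse a small RFC 1035 subset: $ORIGIN, $TTL, one record per line,
    optional TTL and class, no parentheses. Returns a list of Records."""
    origin, default_ttl, last_owner, records = None, None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner      # blank owner column repeats the previous owner
        else:
            owner = absolutize(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = tokens
        if rtype in ("NS", "CNAME"):
            rdata = [absolutize(tokens[0], origin)]
        records.append(Record(owner, ttl, rtype, " ".join(rdata)))
    return records


def configured_zone_names(conf_text):
    """Zone names declared by `zone "<name>" { ... };` statements, as FQDNs."""
    return [n.lower().rstrip(".") + "." for n in re.findall(r'zone\s+"([^"]+)"', conf_text)]


def zone_apex(records):
    """The owner of the single SOA record is the zone name the file describes."""
    soa = [r for r in records if r.rtype == "SOA"]
    if len(soa) != 1:
        raise ValueError("zone must contain exactly one SOA record")
    return soa[0].owner


def ns_targets_that_are_cnames(records):
    """NS targets that are defined as CNAMEs inside this zone."""
    cnames = {r.owner: r.rdata for r in records if r.rtype == "CNAME"}
    return [(r.rdata, cnames[r.rdata]) for r in records
            if r.rtype == "NS" and r.rdata in cnames]


def diagnose(conf_text, zone_text):
    """Return human-readable findings; an empty list means both checks passed."""
    records = parse_zone(zone_text)
    apex = zone_apex(records)
    names = configured_zone_names(conf_text)
    findings = []
    if apex not in names:
        findings.append(f"zone name mismatch: named.conf declares {names}, "
                        f"zone file apex is {apex!r}")
    for target, cname in ns_targets_that_are_cnames(records):
        findings.append(f"NS target {target} is a CNAME to {cname}; NS rdata "
                        f"must be a hostname with A/AAAA records")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NAMED_CONF_LOCAL, ZONE_FILE):
        print(finding)
```

Run as-is it reports both findings for the constructed input; fixing the zone name to `"isiko404.dev"` and giving `dns` an A record instead of a CNAME makes `diagnose` return an empty list. The zone-name check is the one that explains the SERVFAIL in this thread: named serves the zone under whatever name the `zone` clause declares, and a file whose SOA and NS records belong to a different name leaves that zone without usable apex data.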